Is iOS secure enough for the enterprise?

iOS is making inroads into the enterprise right now, largely thanks to the growth of the BYOD trend. But does it pose a security risk?

by
Ben Camm-Jones| 14 Apr 12

iOS is making inroads into the enterprise right now, largely thanks to the growth of the BYOD (bring your own device) trend.

However, a new report (PDF) from security firm Trend Micro suggests that RIM's new OS, BlackBerry 7, is the most secure platform for businesses, ahead of iOS. With RIM having recently stated its intention to refocus on the business market (though not abandon the consumer space, as some reports incorrectly claimed) could Apple's progress into the enterprise be stalled?

"Corporate-grade security and manageability" makes BlackBerry 7 the option of choice for enterprise, says Trend Micro's report, though it isn't without its problems.

"Many features and protections that are commonly enabled or enforceable via the BlackBerry Enterprise Server (BES) are not present on devices that are user-provisioned via BlackBerry Internet Services (BIS). In fact, some of the strongest features restricting high-risk activities that users may undertake, such as removal of password protection for the device, may be rendered inactive if a user’s device is not provisioned via the BES," Trend Micro says in its report.

And while iOS 5 came second to BlackBerry 7 in the rankings, which Trend Micro scored on a combination of factors including built-in security, application security, authentication, device wipe, device firewall and virtualisation, it was placed ahead of Windows Phone 7.5 and Google Android 2.3.

Indeed, there is plenty to recommend iOS 5 for enterprises, the report says. "The iOS application architecture natively provides users much protection because all applications are 'sand-boxed' in a common memory environment. Security in iOS also extends to the physical attributes of the iPhone and iPad.

"There are no options for adding removable storage, which in effect provides another layer of protection for users. Apple also compares favourably to BlackBerry insofar as the BlackBerry IT administrator has complete control over the device, whereas in iOS, the IT department can only configure items once the user has supplied their permission."

Previous research from Trend Micro, though, has highlighted some of the risks that iOS devices in the enterprise can cause. For a start, the popularity of the platform makes it a target for cybercriminals.

"Cybercrime is a multi billion dollar industry, funded and resourced like legitimate business operations. The criminal gangs need to know that any investment in their own resources is going to provide a decent return, and the best way of guaranteeing that is by targeting the one large homogenous platform, just as they did with Windows in the 90s. In the mobile world, this means iOS," Trend Micro's Cesare Garlati wrote on the company's Trend Consumerization blog back in February.

Secondly, there is the problem of jailbreaking to deal with. "The very control which the firm applies so rigorously to its ecosystem could be its undoing. You’ve probably noticed, but users don’t take kindly to being told what to do. Apple has blocked content in the past, and it has forced users to pay additional charges to turn on Wi-Fi hotspot functionality. This kind of uncompromising philosophy has driven many to jailbreak their phone with a 'my device, my rules' kind of attitude. And a jailbroken phone is not a secure phone," Garlati said.

But when push comes to shove, mobile devices - whether BYOD or centrally issued - are going to pose a risk of some sort. By trying to make a platform appeal to consumers, though, the needs of enterprise users are often neglected, Trend Micro says.

"Against the growing, unstoppable backdrop of consumerization and BYOD, every mobile device is a risk to business. What is interesting in these results is that, whilst some mobile platforms have evolved very noticeably along enterprise lines, there is still a strong ‘consumer marketing’ legacy in some quarters and this is negating some of the progress made on the enterprise front. Indeed, some of the attributes we have examined in the report are still firmly 'enterprise-unready'," said Raimund Genes, CTO of Trend Micro.

Indeed, consumer devices are still causing chaos for IT departments in many companies, anecdotal evidence suggests. It is also debatable whether BYOD policies actually save a company money, too. So while the security risks of iOS in the enterprise can be managed, you'll need to think about the problems it'll cause in terms of cost and support.